Pam-Authentication


Jan Hebler

Feb 26, 2025, 1:07:00 AM
to bareos-users
Hi

I try to use PAM according to https://docs.bareos.org/bareos-21/TasksAndConcepts/PAM.html
However, I cannot get the consoles to work:
On the Server:
calahari:~ # cat /etc/bareos/bareos-dir.d/console/bareos.conf
Console {
  Name = "bareos-pam"
  Password = "1234"
  UsePamAuthentication = yes
}

On the Client:
gamer:~ # cat /etc/bareos/bconsole.conf
#
# Bareos User Agent (or Console) Configuration File
#
Director {
  Name = bareos-dir
  Address = calahari.hebler.de
  Password = "Xa9PF"
  Description = "Bareos Console credentials for local Director"
}
Console {
  Name = "bareos-pam"
  Password ="1234"
}

Without the Console entries it works, i.e. I get an unlimited console. However, with the Console entries the server refuses the connection:

bareos-director.hebler.de (100): dird/job.cc:1479-0 JobId=0 created Job=-Console-.2025-02-26_07.03.24_02
bareos-director.hebler.de (50): lib/cram_md5.cc:106-0 send: auth cram-md5 <1750435901.1740549804@R_DIRECTOR::bareos-director.hebler.de> ssl=2
bareos-director.hebler.de (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-director.hebler.de (100): lib/cram_md5.cc:167-0 cram-get received: auth cram-md5 <1871278402.1740549804@R_CONSOLE::bareos-pam> ssl=2
bareos-director.hebler.de (50): lib/cram_md5.cc:61-0 my_name: <R_DIRECTOR::bareos-director.hebler.de> - challenge_name: <R_CONSOLE::bareos-pam>
bareos-director.hebler.de (99): lib/cram_md5.cc:232-0 sending resp to challenge: uD+MCD/DF5tGi3+8qBRooC
bareos-director.hebler.de (50): lib/tls_openssl_private.cc:325-0 SSL_get_error() returned error value 2
bareos-director.hebler.de (10): dird/authenticate_console.cc:353-0 ERROR: Unable to authenticate console "bareos-pam" at client:192.168.99.197:9101.
bareos-director.hebler.de (50): lib/tls_openssl.cc:306-0 SSL_get_error() returned error value 1
bareos-director.hebler.de (100): lib/tls_openssl_private.cc:90-0 Destruct TlsOpenSslPrivate
bareos-director.hebler.de (100): lib/jcr.cc:378-0 Destruct JobControlRecord
bareos-director.hebler.de (100): lib/jcr.cc:268-0 FreeCommonJcr: 7f7e6005b170
bareos-director.hebler.de (100): lib/bsys.cc:83-0 safe_unlink unlinking: /var/lib/bareos/bareos-director.hebler.de.bareos-director.hebler.de.1442805904.mail
bareos-director.hebler.de (100): lib/bsock.cc:137-0 Destruct BareosSocket



Bruno Friedmann (bruno-at-bareos)

Feb 26, 2025, 3:14:27 AM
to bareos-users
Hi Jan, sorry quick short hint,

Did you also review and follow this 

should help you to debug what's going wrong.

Jan Hebler

Feb 27, 2025, 1:51:42 AM
to bareos...@googlegroups.com
Hi Bruno.

Thanks for the reply, yes, I also follow the instructions there.
Pamtester works:
calahari:~ # sudo -u bareos /tmp/pamtester bareos jan authenticate
Password:
pamtester: Authentication failure
calahari:~ #

The console without PAM but with some ACLs instead also works. However, if I try to use PAM, bconsole doesn't even ask for a username/password but states:

gamer:~ # bconsole
Connecting to Director calahari.hebler.de:9101
Encryption: TLS_CHACHA20_POLY1305_SHA256 TLSv1.3

PAM authentication failed. Giving up.
gamer:~ #

And on the server I receive a mail which reads:

27-Feb 07:46 bareos-director.hebler.de: ERROR in dird/authenticate_console.cc:353 Unable to authenticate console "bareos-pam" at client:192.168.99.197:9101.


Regards, Jan

Jan Hebler

Feb 27, 2025, 4:58:23 AM
to bareos...@googlegroups.com
Sorry, C&P-Failure:

calahari:~ # sudo -u bareos /tmp/pamtester bareos jan authenticate
Password:
pamtester: successfully authenticated
calahari:~ #

On Wednesday, 26 February 2025, 09:14:26 Central European Standard Time, Bruno Friedmann (bruno-at-bareos) wrote: